If your internal CA's root certificate is already distributed to client, then you would create a Subordinate CA on your root CA server and export the certificate and private key it generates and import that into MWG.
This is not the same process as a Web Server certificate, so don't get confused.
The MWG does not need to generate the the CSR, Microsoft Certificate Services does that by itself and exports the keypair for import into MWG.
If you are not using Microsoft CA, consult documentation for you PKI servers. Any openSSL commandline can generate the CSR.
See PD22642 on page 41 (https://kc.mcafee.com/corporate/index?page=content&id=PD22642) for creating/importing a sub-ordinate CA from a microsoft authority. It contains the necessary commands to do so. The guide is for Web Gateway 6, but is relevent in any situation (6 or 7).
Thank you both for your replies. I will do some reading up regarding the subordinate CA and will also have look at the PD. Will update this threat in the week.